Thanks to Rowland Yu of SophosLabs for his behind-the-scenes work on this article.

It’s normal for Android apps to download plugins. The main application might just be a “view folder” while plugins provide much of the functionality. It’s not so normal when one of those plugins tries to steal your SMS messages.

SophosLabs has discovered two apps on Google Play with plugins that do just that. Both are from a developer named New.App. The apps have been on Google Play since May and have attracted between 100,000 and 500,000 downloads so far. Labs has detected the threat as Andr/SpyAgnt-X.

One app is billed as an app store shortcut feature, while the other is for “Skin Care Magazine”.

When the apps start, they launch a new process in the class adb.core.Mgr to download an additional plugin called abs.plugin.as.jar from the remote website hxxp://45.79.83.140/plugin/10/abs.plugin.as.jar.

The malicious .jar payload checks whether the device SDK version is between 4.2 and 4.4. If so, it requests the SMS permission, reads every message in the SMS inbox and sends them to remote websites.

There are thousands of different plugins in the wild. Some of them are embedded in apps while others are downloaded dynamically at runtime. This means that distinguishing whether these plugins are malicious or not will be challenging work.
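As an added illustration (not code from the article or from SophosLabs), the Python heuristic below combines the signals described above, namely runtime loading of a remote .jar, an SDK version gate, SMS inbox access and an HTTP upload path, over printable strings pulled from an APK or a downloaded plugin. The indicator patterns, group names and all sample strings except the page's own class name and jar URL are assumptions.

```python
import re

# Indicator groups over strings pulled from an APK or a downloaded .jar
# (smali/dex notation for classes and fields, plain text for URLs and permissions).
INDICATORS = {
    "dynamic_code_loading": [
        re.compile(r"dalvik/system/(?:Dex|Path)ClassLoader"),
        re.compile(r"(?:https?|hxxp)://\S+\.jar", re.I),           # remote .jar fetch
    ],
    "sms_access": [
        re.compile(r"android\.permission\.(?:READ|RECEIVE)_SMS"),
        re.compile(r"content://sms"),                              # SMS content provider
    ],
    "network_exfil": [
        re.compile(r"java/net/HttpURLConnection"),
        re.compile(r"(?:https?|hxxp)://\d{1,3}(?:\.\d{1,3}){3}"),  # bare-IP endpoint
    ],
    "sdk_gate": [
        re.compile(r"Build\$VERSION;->SDK_INT"),                   # version check before acting
    ],
}
# Escalate only when the three behaviours described above coincide;
# dynamic loading on its own is common in legitimate apps.
REQUIRED = {"dynamic_code_loading", "sms_access", "network_exfil"}

def triage(strings):
    """Map each indicator group to the sorted list of strings that matched it."""
    hits = {}
    for group, patterns in INDICATORS.items():
        matched = sorted({s for s in strings if any(p.search(s) for p in patterns)})
        if matched:
            hits[group] = matched
    return hits

def verdict(hits):
    """Turn grouped hits into a label for an analyst queue."""
    if REQUIRED.issubset(hits):
        return "suspicious: remote plugin reads SMS and uploads"
    if "dynamic_code_loading" in hits:
        return "review: loads code at runtime"
    return "no plugin indicators"

# Constructed sample input: the class name and jar URL come from the article,
# the remaining strings are illustrative rather than taken from the real sample.
SAMPLE_STRINGS = [
    "Ladb/core/Mgr;", "Ldalvik/system/DexClassLoader;",
    "hxxp://45.79.83.140/plugin/10/abs.plugin.as.jar", "Landroid/os/Build$VERSION;->SDK_INT:I",
    "android.permission.READ_SMS", "content://sms/inbox", "Ljava/net/HttpURLConnection;",
]
```

Calling `verdict(triage(SAMPLE_STRINGS))` on the constructed sample returns the suspicious label, while the `sdk_gate` group appears in the `triage` output as a separate signal worth recording, since a version check before any sensitive action is a common way for a payload to stay quiet on devices it does not target.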

You should try asking yourself whether you have good reason to trust us – or any other app vendor that is new to you.

Do we have a reason to ask for the permissions we do? How long has our product been around in Google Play? When you read up on the history of Sophos, look at our website, search for us in the media, do you get a mostly favourable impression? What effort do we put into community engagement, free tools and giving advice that is there primarily to help rather than to close deals?

Does our website show the breadth, depth and objectivity you would expect of a company that has earned its reputation rather than purchased it or concocted it? Do you know someone who has tried our product whom you can ask in person, rather than relying on reviews in the Play Store? How widely used is our product? Can you find reference to our product in any third party tests that don’t just sound like “pay to play” marketing fluff?

If you need to contact us, complain to us, complain about us, report us to Google or the regulator, and so forth…

…do you think that the contact details we’ve provided on our website are accurate enough to do so, or do we sound like a cover story for a holding company that doesn’t want to be found?

(This is not meant to be a glib or satirical answer. Judging the reputation of any app you install, especially one you expect to leave running in the background to keep an eye on things, is a bit like marriage – not an undertaking to be entered into lightly. The tricky part is finding genuinely independent sources that you can reliably combine to form an objective opinion. If the “reviews” you read are written by shills paid by the vendor, and the “test” results are just a report that was commissioned on the vendor’s dime, you don’t have evidence, you just have marketing material 🙂)

My opinion is that Sophos does stand up to scrutiny, and that a reasonable person would trust our Android anti-virus (and any of our other products, too).

If you know that these applications are not right for us to use, then why do you still have them in the Google Play store??? If you want to give money away, I can surely use some… And you won’t have to worry about publicity or any of that nonsense…

Paul, I’ve just purchased my first Android phone — Blackberry’s KeyONE — and I’m trying to keep out of grasp of Google as much as possible. Is there a way to download the Sophos Android app without Google Play? I’ve used the Amazon App Store to download known trusted apps such as Facebook Messenger etc. but unfortunately yours is not on there.

We don’t have any official off-market downloads, I’m afraid. You could just sign in to Google Play, download the app and then sign out again – same for other apps you want to install from the Play Store. (I do that – I don’t leave myself logged in all the time to any online service, from Google to Facebook.)

If you have a test phone with a Play account that you can use to fetch apps, and if your daily driver “Play-free” phone allows sideloading, you could always transfer the APK from the test phone to the other device using the Android Debug Bridge. I sometimes do that to install our app into firmware builds that don’t contain Google Apps, or from a regular phone into a vanilla emulator image.